What is Typosquatting?

Cybercriminals register look-alike domains of well-known brands to trick users into accessing a malicious website. Such misspelled, look-alike domains are referred to as typosquatting domains.

These domains are frequently used by cybercriminals for phishing, fraud, social engineering attacks, BEC and ransomware attacks. These attacks can cause financial loss to the customers, hijack employee & user accounts, and damage the reputation of a brand.

Brands should proactively monitor registrations of such domains and the content hosted on them. If any of the domains are found hosting phishing pages or impersonating your brand's identity, then the hosting provider of that domain should be contacted to take down that domain before any significant damage is done to either the brand or its customers.

Threat actors might employ various tactics for registering the look-alike domains. Such as;

  • Domains with alternate TLDs
  • Homoglyph Domains
  • Hyphenated domains
  • Domains with keywords like 'customer-support' or 'login' along with the brand

We can use OSINT Tools like DNSTwist and DNSRazzle to generate live typosquatting domains. More on OSINT here.

In this blog, we take a look at some of the tools that can be used to generate, monitor, and analyze typosquatting domains.

Tools for Generating and Monitoring Typosquatting Domains

DNSTwist - OSINT Typosquatting Tool

DNSTwist is a free & open-source tool that can be used to generate a list of active typosquatting domains. You can access the web version of the tool on dnstwist.it.

For this blog, we tried generating a list of typosquatting domains for netflix.com

Web Version

Results for netflix.com on DNSTwist web version

Web-version only offers domain permutations, GeoIP, nameserver, and MX server checks. Meanwhile, the CLI version available on GitHub allows a few more customizations.

CLI Version

CLI version which is available on GitHub offers customization such as adding TLD lists, word dictionaries and specifying the output data format.

Users can specify the parameters they want to check for, such as GeoIP, MX records, whois, and nameservers, among others.

DNSTwist Scanning Netflix.com

Process

DNSTwist works by generating a list of possible typosquatting domains using various techniques such as

  • Character Addition
  • Character Insertion
  • Character Replacement
  • Character Repetition
  • Homoglyph
  • Character Omission,
  • Transposition,
  • Bit Squatting
  • Vowel Swap

The DNSTwist's default TLD list contains 369 different TLDs, which can be expanded using a separate TLD list file [using argument --tld] to increase the domain generator's capabilities.

DNSTwist additionally includes keyword dictionary files in English, French, and Polish that contain words that are commonly used in phishing campaigns. Users can manually add more keyword dictionaries.

DNSTwist checks DNS records, whois records, and other info on all the generated domains and returned output can be exported to a file in JSON, CSV format.

This file can then be manually examined to identify high-risk domains and phishing pages.

DNSTwist has support for fuzzy hash comparison capabilities for assessing the similarity of a brand's website to a typosquatting URL website to determine phishing or brand impersonation.

Running DNSTwist CLI version,

  • Get DNSTwist from GitHub using  git clone https://github.com/elceef/dnstwist.git
  • Install dependencies using pip3 install -r requirements.txt
  • Run python3 dnstwist.py [Domain Name]
  • You can run python3 dnstwist.py -h to see available options for adding parameters & exporting output to a file.

DNSrazzle - OSINT Typosquatting Tool

DNSrazzle is a free and open-source CLI tool for detecting typosquatting domains and comparing them to the real domain to detect phishing and brand impersonation domains. It generates a list of probable typo squatted domain names using the DNSTwists permutation engine, and then examine if any of those domains are in use.

DNSRazzle Scanning Netflix.com

Process

DNSRazzle generates combinations of lookalike, typo domains using DNSTwists typosquatting domain generation engine.

To enhance the capabilities of the domain generator, the user can specify a custom TLD dictionary file using the parameter --tld.

DNSRazzle features a large keyword dictionary that includes keywords in English, French, top 1 million site subdomains, and more.

To look for phishing, brand impersonation, DNSRazzle takes screenshots of the original domain and the discovered web pages and compares them using computer vision techniques. After comparison with the original page, it assigns a similarity score to the typosquatting page from 0 to 1.

DNSRazzle has support for generating DNS recon reports for each domain using -r or --recon parameter and it can also run a Nmap scan on discovered domains using the parameter -n or --nmap.

After a scan, DNSRazzle saves output data in a text file and screenshots in the screenshot folder by default.

Running DNSRazzle

  • Get DNSRazzle from GitHub using  git clone https://github.com/f8al/DNSrazzle.git
  • Install dependencies using pip3 install -r requirements.txt
  • Run python3 DNSrazzle.py -d [Domain Name]
  • You can runpython3 DNSrazzle.py -h to see available options for adding additional parameters

Bolster's Typosquatting Protection

The Bolster platform delivers intelligence about typosquatting domains as well as offers an interactive dashboard to visualize the data from these domains.

Bolster provides insights such as the top hosting providers for typosqautted domains, top TLDs that are being used to register these domains. Bolster platform offers recommendations for acquiring high-risk domains and delivers monthly reports.

Bolster Platform

Assess your company's risk: Start measuring risks to your online brand with our free, no obligation, Domain Risk Report and Domain Acquisition Analysis.

Features

  • Bolster provides typosquatting domain protection on over 1200 TLDs
  • Bolster detects phishing, frauds, and brand impersonations on typosquatting domains using AI, NLP, and deep learning techniques.
  • Provides whois, MX, GeoIP lookups, logo detection, and natural language analysis to assess the intent of a webpage.
  • If a page is hosting phishing, scam page, or impersonating brand, Bolster will automatically send takedown requests to registrars and hosting providers
  • Suggests domains for acquisition to reduce the chance of squatters obtaining those domains.
  • Checks for brand impersonation using the brand's logo on non-typosquatting domains' websites as well.
  • Bolster offers continuous monitoring and automated takedowns for typosquatting, brand impersonation domains.
Bolster Platform's result for netflix.com

Comparison

DNSRazzle and DNSTwist are both free and open-source tools meanwhile Bolster Platform is proprietary. Few other matrices are compared in the table below

Tools Comparison

Process of finding Typosquats and phishing

  • Steps used for finding typosquatting domains and phishing on these domains by each tool are as follows
Process Flow of Each Tool

Results Comparison

  • For testing these tools, we ran a scan for lookalike domains of Netflix. And results from the 3 tools are follows
Output Results Comparison
  • Over 2610 typosquatting domains were discovered by Bolster Platform, with 2401 of them being active. Meanwhile, DNSRazzle and DNSTwsit were only able to find 1295 and 1453 domains, respectively, with just 188, 195 of those being active respectively.
  • DNSTwist identified 34, while bolster platforms discovered 160 domains with MX records.
  • In contrast, Bolster's report includes intuitive data visualizations, but other solutions lack a report preparation mechanism and require manual data analysis.
Top Hosting provides and TLD for Netflix typosquat domains according to Bolster's report
Data found by Bolster Platform

Assess your company's risk: Start measuring risks to your online brand with our free, no obligation, Domain Risk Report and Domain Acquisition Analysis.

Conclusion

DNSTwist and DNSrazzle are very good open source and free tools. However, it's evident that the Bolster platform detected a greater number of active typosquatting and phishing domains.

DNSTwist and DNSrazzle require manual execution of the script and manual post-execution data analysis. In addition, you'd have to send takedown requests to each hosting provider and registrar of each domain. This can take a significant amount of time.

Meanwhile, Bolster offers 24x7 monitoring and every step on the Bolster platform is automated. From detection to takedown requests, the entire process only takes 2 minutes.

About Us

Thank you for reading this blog! This blog is published by Bolster Research Labs. We are also creators of https://checkphish.ai -  a free URL scanner to detect phishing and scams sites in real time.

If you are interested in advanced research and uncovering of new scams or working with cutting edge AI, come work with us at the Bolster Research Labs. Check out open positions here

Resources

DNSRazzle [GitHub]
DNSTwist [Website] [GitHub]
Bolster 2022 State of Phishing and Online Fraud Report
Bolster Global Fraud Index
Bolster Brand Protection
Bolster Domain Monitoring
Bolster Fraud Prevention
Bolster Phishing & Scam Protection